Differences

This shows you the differences between two versions of the page.

tutorial:adm:server_os_updates [2019/12/10 15:35]
fiserp
tutorial:adm:server_os_updates [2019/12/16 13:42]
fiserp [Things to consider]
Line 8: Line 8:
 ==== Things to consider ==== ==== Things to consider ====
 Before applying updates, there are few things to consider: Before applying updates, there are few things to consider:
 +  * Impact on users
 +    * IdM is often deployed as a self-service portal for users. You should plan the downtime such that minimal number of users is affected.
 +    * Users may make changes in the IdM that start some long running tasks (e.g. automatic roles changes). Those tasks are executed asynchronously and may be running even if the user who started the task has already logged off.
 +  * Impact on IdM batch jobs (long running tasks - LRT)
 +    * IdM has internal cron that schedules LRT jobs. To make things safe, no job should be running when you are doing the update. The safest way to achieve this is to stop the IdM service before applying updates.
 +    * LRTs run usually at night so it is not entirely necessary to stop the IdM, but you have to make sure you have enough time to perform the patching (and possible rollback) before jobs start to execute.
 +    * Restarting IdM cancels the LRT that was currently running, LRT **will not pick up automatically** after IdM goes up again.
 +  * Impact on OS
 +    * OS may seemingly not boot after the updates (boot or network issues, SSHd/RDP daemon issues). We recommend to have complete backup of ``/boot`` and ``/etc`` directories. Out-of-band access to a machine is a must.
 +    * In our deployments, we use mainly RHEL/CentOS (sometimes Debian) and Windows OSes. If you deploy IdM accordingly (tutorials [[https://wiki.czechidm.com/doku.php?id=start&do=search&q=server+prep|here]] and [[https://wiki.czechidm.com/doku.php?id=start&do=search&q=idm+installation|here]], OS updates are generally painless.
 +    * Packages from OS that IdM deployment uses
 +      * Java (openjdk package referenced through ``/usr/lib/...`` and therefore through ``/etc/alternatives/...``). Java patchset may be updated, bud the version should stay the same (e.g. update ``1.8u27->1.8u90`` is OK, but update ``Java8->Java9`` is not).
 +      * PostgreSQL is installed generally from OS or PGDG repositories and is considered pretty stable. Updating package when PostgreSQL version stays the same is OK. Updating PostgreSQL version (e.g. ``9.6->10``) should be OK, but we recommend at least to make a backup of IdM database (in case you have to rollback the previous PostgreSQL version).
 +      * Apache HTTPD. Deployment should be stable and no special care is needed. We recommend to have a backup of vhost configuration.
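Review bot: The "Impact on IdM batch jobs" bullets state that restarting IdM cancels the running LRT and that it "will not pick up automatically", but the list has no step telling the admin to confirm that no LRT is running before stopping the service, or to re-run a cancelled job once IdM is back up. Please add both steps there, since the second bullet explicitly allows patching without stopping IdM. In the PostgreSQL item, the backup for a version change such as "9.6->10" is only "recommended" even though the same sentence anticipates a rollback; consider making the database backup a required step for that case, and reword "rollback the previous PostgreSQL version" to "roll back to the previous PostgreSQL version". Two smaller fixes: "bud the version should stay the same" in the Java item should read "but", and the parenthesis opened at "(tutorials" in the RHEL/CentOS item is never closed after the second "here" link.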
  • by fiserp